[PATCH 9/9] commands: add avb_pvalue command

Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> · Wed, 12 Mar 2025 13:16:24 +0100

Android Verified Boot (AVB( 2.0 spec. revision 1.1 introduces support
for named persistent values that must be tamper evident and allows AVB
to store arbitrary key-value pairs.

This patch introduces a command to access this variable store. Variables
can be read into a file or an environment variable or printed as
hexdump. Variables can be written from file content or a string from the
command line.

Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
 commands/Kconfig      |  13 +++++
 commands/Makefile     |   1 +
 commands/avb_pvalue.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+)

diff --git a/commands/Kconfig b/commands/Kconfig
index e41625e294..3d87ba5e09 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -2254,6 +2254,19 @@ config CMD_2048
 	help
 	  Console version of the game "2048" for GNU/Linux
 
+config CMD_AVB_PVALUE
+	depends on OPTEE_AVB_PERSISTENT_VALUES
+	tristate
+	prompt "avb_pvalue"
+	help
+	  The avb_pvalue command provides access to the Android Verified Boot (AVB)
+	  persistent value store.
+
+	  AVB 2.0 spec. revision 1.1 introduces support for named persistent values
+	  that must be tamper evident and allows AVB to store arbitrary key-value
+	  pairs.
+
+
 config CMD_BAREBOX_UPDATE
 	tristate
 	select BAREBOX_UPDATE
diff --git a/commands/Makefile b/commands/Makefile
index e152e4148b..7a635e8791 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -3,6 +3,7 @@
 obj-$(CONFIG_STDDEV)		+= stddev.o
 obj-$(CONFIG_CMD_DIGEST)	+= digest.o
 obj-$(CONFIG_COMPILE_HASH)	+= hashsum.o
+obj-$(CONFIG_CMD_AVB_PVALUE)	+= avb_pvalue.o
 obj-$(CONFIG_CMD_BOOTM)		+= bootm.o
 obj-$(CONFIG_CMD_UIMAGE)	+= uimage.o
 obj-$(CONFIG_CMD_LOADB)		+= loadb.o
diff --git a/commands/avb_pvalue.c b/commands/avb_pvalue.c
new file mode 100644
index 0000000000..adc44321fb
--- /dev/null
+++ b/commands/avb_pvalue.c
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <command.h>
+#include <getopt.h>
+#include <libfile.h>
+#include <fs.h>
+#include <xfuncs.h>
+#include <linux/sizes.h>
+#include <tee/avb.h>
+#include <linux/ctype.h>
+#include <environment.h>
+
+static int do_avb_pvalue(int argc, char *argv[])
+{
+	size_t out = 0x13;
+	void *buf = NULL;
+	int ret = 0, rc = COMMAND_ERROR;
+	int opt;
+	const char *write_varname = NULL, *read_varname = NULL;
+	void *val = NULL;
+	size_t size;
+	const char *filename = NULL;
+	const char *varname = NULL;
+	const int bufsize = SZ_8K;
+
+	while ((opt = getopt(argc, argv, "r:w:f:")) > 0) {
+		switch(opt) {
+		case 'r':
+			read_varname = optarg;
+			break;
+		case 'w':
+			write_varname = optarg;
+			break;
+		case 'f':
+			filename = optarg;
+			break;
+		default:
+			return COMMAND_ERROR_USAGE;
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (!read_varname && !write_varname)
+		return COMMAND_ERROR_USAGE;
+
+	if (read_varname && write_varname)
+		return COMMAND_ERROR_USAGE;
+
+	if (write_varname) {
+		if (argc >= 1)
+			val = argv[0];
+
+		if (filename) {
+			ret = read_file_2(filename, &size, &buf, FILESIZE_MAX);
+			if (ret) {
+				printf("Cannot read %s: %pe\n", read_varname, ERR_PTR(ret));
+				return COMMAND_ERROR;
+			}
+		} else {
+			if (!val)
+				return COMMAND_ERROR_USAGE;
+			size = strlen(val) + 1;
+			buf = xstrdup(val);
+
+		}
+		ret = avb_write_persistent_value(write_varname, size, buf);
+		if (ret) {
+			printf("Cannot write variable %s: %pe\n", read_varname, ERR_PTR(ret));
+			goto err;
+		}
+	}
+
+	if (read_varname) {
+		if (argc >= 1)
+			varname = argv[0];
+
+		buf = xzalloc(bufsize);
+
+		ret = avb_read_persistent_value(read_varname, SZ_8K, buf, &out);
+		if (ret) {
+			printf("Cannot read variable %s: %pe\n", read_varname, ERR_PTR(ret));
+			rc = COMMAND_ERROR;
+			goto err;
+		}
+
+		if (filename) {
+			ret = write_file(filename, buf, out);
+			if (ret) {
+				printf("Cannot write %s: %pe\n", filename, ERR_PTR(ret));
+				rc = COMMAND_ERROR;
+				goto err;
+			}
+		} else if (varname) {
+			unsigned char *str = buf;
+			int i;
+
+			str[bufsize - 1] = 0;
+	
+			for (i = 0; i < out; i++)
+				if (!isprint(str[i]))
+					break;
+
+			str[i] = 0;
+
+			setenv(varname, buf);
+		} else {
+			memory_display(buf, 0, out, 1, 0);
+		}
+	}
+
+	rc = 0;
+
+err:
+	free(buf);
+
+	return rc;
+}
+
+BAREBOX_CMD_HELP_START(avb_pvalue)
+BAREBOX_CMD_HELP_TEXT("This command provides access to the AVB persistent variable store.")
+BAREBOX_CMD_HELP_TEXT("usage:")
+BAREBOX_CMD_HELP_TEXT("avb_pvalue [OPTION]... [VARNAME/VALUE]")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("Options:")
+BAREBOX_CMD_HELP_OPT ("-r <varname>",  "read variable <varname>. read value into [VARNAME] if given")
+BAREBOX_CMD_HELP_OPT ("-w <varname>",  "write variable <varname>. Set to [VALUE] if given")
+BAREBOX_CMD_HELP_OPT ("-f <file>",  "read/write value from/to file")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(avb_pvalue)
+	.cmd            = do_avb_pvalue,
+	BAREBOX_CMD_DESC("AVB persistent variable store")
+	BAREBOX_CMD_OPTS("[-rwf] [VARNAME/VALUE]")
+	BAREBOX_CMD_HELP(cmd_avb_pvalue_help)
+	BAREBOX_CMD_GROUP(CMD_GRP_CONSOLE)
+BAREBOX_CMD_END

-- 
2.39.5








